Responsible disclosure policy

At Kiwa, we consider the security of our ICT systems and our websites of utmost importance. We therefore strive for the highest possible level of security. Despite the great care we take with respect to ICT security, weaknesses can still remain. We ask you not to abuse a vulnerability, but to report the issue to us so that we can take the necessary measures.

Have you found a vulnerability in our websites or in one of our other (online) systems? Then please report your findings to us as soon as possible. Do that before you announce the 'leak' to the outside world, so we can solve it as quickly as possible.

We would like to work together with you to better protect our systems and to remedy a vulnerability as soon as possible. Our responsible disclosure policy is not, however, an invitation to actively scan our business network to discover weak points.

Report a vulnerability

Please inform us if you have found a vulnerability. Keep in mind the following:

  • Email your findings as quickly as possible to responsibledisclosure@kiwa.nl
  • Give adequate information allowing the vulnerability to be reproduced, so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability are enough, although more information might be necessary for more complex vulnerabilities.
  • Include your contact details (email address or telephone number) so we can contact you.
  • Do not share the information about the vulnerability with others until it has been resolved.
  • Be responsible with your knowledge about the vulnerability. Do not perform any actions beyond what is necessary to demonstrate it.

Does your report meet these conditions? Then there will be no legal repercussions.

Do not abuse a weak spot

If you discover a vulnerability, do not take advantage of it by, for example:

  • installing malware;
  • copying, modifying or deleting data in a system, or creating a directory listing;
  • making changes to the system;
  • repeatedly gaining access to the system, or sharing access with others;
  • moving laterally, or further into our systems;
  • using brute force to access the systems;
  • using denial-of-service or social engineering.

How we deal with your report

Have you reported a weak spot in one of our ICT systems or websites? Then we will treat your report as follows:

  • You will receive a confirmation of your report within one working day.
  • We will respond to your report within five working days. Our response contains an assessment of the report and an expected date for a solution.
  • We will keep you informed about the progress of solving the problem.
  • We will treat your report confidentially and we will not share your personal data without your permission with third parties, unless we are required to do so by law or by a court order.

Solution for a vulnerability

We will resolve a reported security problem as quickly as possible, but always within 60 days. Together with you (the reporter of the issue), we will determine whether and how we report on the problem. If we communicate about an issue, we will only do so after we have solved it.

Finally

Kiwa may revise the policy with respect to the responsible disclosure if there is reason to do so. The current policy is always on this page.

Rijswijk, Holland, December 2018.